Posted
by
msmash
on Friday January 26, 2018 @11:40AM
from the closer-look dept.

itwbennett writes: The BSDs have lost the battle for mindshare to Linux, and that may well bode ill for the future sustainability of the BSDs as viable, secure operating systems, writes CSO's JM Porup. The reason why is a familiar refrain: more eyeballs mean more secure code. Porup cites the work of Ilja von Sprundel, director of penetration testing at IOActive, who, noting the "small number of reported BSD kernel vulnerabilities compared to Linux," dug into BSD source code. His search 'easily' turned up about 115 kernel bugs. Porup looks at the relative security of OpenBSD, FreeBSD and NetBSD, the effect on Mac OS, and why, despite FreeBSD's relative popularity, OpenBSD may be the most likely to survive.

Posted
by
EditorDavid
on Monday January 08, 2018 @06:34AM
from the what's-inside-besides-Intel dept.

troublemaker_23 quotes ITWire:
Disclosure of the Meltdown and Spectre vulnerabilities, which affect mainly Intel CPUs, was handled "in an incredibly bad way" by both Intel and Google, the leader of the OpenBSD project Theo de Raadt claims. "Only Tier-1 companies received advance information, and that is not responsible disclosure -- it is selective disclosure," De Raadt told iTWire in response to queries. "Everyone below Tier-1 has just gotten screwed."
In the interview de Raadt also faults intel for moving too fast in an attempt to beat their competition. "There are papers about the risky side-effects of speculative loads -- people knew... Intel engineers attended the same conferences as other company engineers, and read the same papers about performance enhancing strategies -- so it is hard to believe they ignored the risky aspects. I bet they were instructed to ignore the risk."

He points out this will make it more difficult to develop kernel software, since "Suddenly the trickiest parts of a kernel need to do backflips to cope with problems deep in the micro-architecture." And he also complains that Intel "has been exceedingly clever to mix Meltdown (speculative loads) with a separate issue (Spectre). This is pulling the wool over the public's eyes..."

Posted
by
EditorDavid
on Sunday October 22, 2017 @11:24AM
from the address-space-layout-randomization dept.

24 years after its release, NetBSD is getting a security upgrade -- specifically, Address Space Layout Randomization (ASLR). An anonymous reader writes:
Support for Kernel ASLR was added on NetBSD-amd64 a few weeks ago. KASLR basically randomizes the address of the kernel, and makes it harder to exploit several classes of vulnerabilities [including privilege escalations and remote code execution]. It is still a work-in-progress, but it's already fully functional, and can be used following the instructions on this post from the NetBSD blog. It will be available starting from NetBSD 9, but may be backported to NetBSD 8 once it is stabilized.
NetBSD says they're the first BSD system to support ASLR.

Posted
by
BeauHDon Monday October 09, 2017 @05:10PM
from the new-and-improved dept.

basscomm writes: OpenBSD 6.2 has now been released. Check out the release notes if you're into that kind of thing. Some of the new features and systems include improved hardware support, vmm(4)/ vmd(8) improvements, IEEE 802.11 wireless stack improvements, generic network stack improvements, installer improvements, routing daemons and other userland network improvements, security improvements and more. Here is the full list of changes.

Posted
by
BeauHDon Thursday July 27, 2017 @05:40PM
from the new-and-improved dept.

Billly Gates writes: Linux is not the only free open-source operating system. FreeBSD, which is based off of the historical BSD Unix in which TCP/IP was developed on from the University of California at Berkeley, has been updated. It does not include systemd nor PulseAudio and is popular in many web server installations and networking devices. FreeBSD 11.1 is out with improvements in UEFI and Amazon cloud support in addition to updated userland programs. EFI improvements including a new utility efivar(8) to manage UEFI variables, EFI boot from TFTP or NFS, as well as Microsoft Hyper-V UEFI and Secure Boot for generation 2 virtual machines for both Windows Server and Windows 10 Professional hosts. FreeBSD 11.1 also has extended support Amazon Cloud features. A new networking stack for Amazon has been added with the ena(4) driver, which adds support for Amazon EC2 platform. This also adds support for using Amazon EC2 NFS shares and support for the Amazon Elastic Filesystem for NFS. For application updates, FreeBSD 11.1 Clang, LLVM, LLD, LLDB, and libc++ to version 4.0.0. ZFS has been updated too with a new zfsbootcfg with minor performance improvements. Downloads are here which include Sparc, PowerPC, and even custom SD card images for Raspberry Pi, Beagle-bone and other devices.

Posted
by
EditorDavid
on Saturday June 24, 2017 @11:34AM
from the escalating-privileges dept.

msm1267 writes: Linux, BSD, Solaris and other open source systems are vulnerable to a local privilege escalation vulnerability known as Stack Clash that allows an attacker to execute code at root. Major Linux and open source distributors made patches available Monday, and systems running Linux, OpenBSD, NetBSD, FreeBSD or Solaris on i386 or amd64 hardware should be updated soon.

The risk presented by this flaw, CVE-2017-1000364, becomes elevated especially if attackers are already present on a vulnerable system. They would now be able to chain this vulnerability with other critical issues, including the recently addressed Sudo vulnerability, and then run arbitrary code with the highest privileges, said researchers at Qualys who discovered the vulnerability.

Posted
by
BeauHDon Wednesday March 15, 2017 @06:20PM
from the on-the-up-and-up dept.

New submitter fisted writes: The NetBSD Project is pleased to announce NetBSD 7.1, the first feature update of the NetBSD 7 release branch. It represents a selected subset of fixes deemed important for security or stability reasons, as well as new features and enhancements. Some highlights of the 7.1 release are:

NetBSD is free. All of the code is under non-restrictive licenses, and may be used without paying royalties to anyone. Free support services are available via our mailing lists and website. Commercial support is available from a variety of sources. More extensive information on NetBSD is available from http://www.NetBSD.org. You can download NetBSD 7.1 from one of these mirror sites.

Posted
by
EditorDavid
on Saturday October 29, 2016 @05:34PM
from the Unix-like-operating-systems dept.

An anonymous reader writes:
"After spending six months in development, the NetBSD 7.0.2 release is now available for those running NetBSD 7.0 or NetBSD 7.0.1," reports Softpedia, "but also for those who are still using an older version of the BSD-based operating system and haven't managed to upgrade their systems, bringing them a collection of security patches and recent software updates." Release engineer Soren Jacobsen wrote that "It represents a selected subset of fixes deemed important for security or stability reasons. If you are running an earlier release of NetBSD, we strongly suggest updating to 7.0.2."

The security fixes eliminate a race condition in mail.local(8), and also update OpenSSL, ntp and BIND. In addition, "there are various MIPS pmap improvements, a patch for an NFS (Network File System) crash, as well as a crash that occurred when attempting to mount an FSS snapshot as read and write. NetBSD 7.0.2 also fixes an issue with the UFS1 file system when it was created outside the operating system."
Download NetBSD 7.0.2 at one of these mirror sites.

Posted
by
EditorDavid
on Monday October 10, 2016 @02:21PM
from the going-up-to-11 dept.

Long-time Slashdot reader basscomm writes, "After a couple of delays, FreeBSD 11 has been released. Check out the release notes here."
The FreeBSD Foundation writes:
The latest release continues to pioneer the field of copyfree-licensed, open source operating systems by including new architecture support, performance improvements, toolchain enhancements and support for contemporary wireless chipsets.
The new features and improvements bring about an even more robust operating system that both companies and end users alike benefit greatly from using.
FreeBSD 11 supports both the ARMv8 and RISC-V architectures, and also supports the 802.11n wireless networking standard. In addition, OpenSSH has been updated to 7.2p2, and OpenSSH DSA key generation has been disabled by default, so "It is important to update OpenSSH keys prior to upgrading."

Posted
by
EditorDavid
on Monday September 26, 2016 @06:34AM
from the browser-booting dept.

Long-time Slashdot reader DeQueue writes: Back in 2011 Fabrice Bellard, the initiator of the QEMU emulator, wrote a PC emulator in JavaScript that let you boot Linux in your browser. But he didn't stop there.

On his website he now has images that let you boot Oberon, Arch Linux, FreeDOS, OpenBSD, Solar OS and more recent versions of Linux such as 2.6 or 3.18 (the 3.18 image includes internet access). You can also boot to a CD image, or a floppy image, or a hard drive disk image on your local machine. And, if you don't need yet another operating system on your computer, you can even boot to Bootchess and play chess

Posted
by
BeauHDon Friday September 02, 2016 @05:00AM
from the fun-for-the-whole-family dept.

prisoninmate quotes a report from Softpedia: By following a rolling release model, TrueOS promises to be a cutting-edge and modern FreeBSD-based operating system for your personal computer, designed with security and simplicity in mind -- all while being stable enough to be deployed on servers. TrueOS will also make use of the security technologies from the OpenBSD project, and you can get your hands on the first Beta ISO images right now. The development team promises to offer you weekly ISO images of TrueOS, but you won't have to download anything anymore due to constant updates thanks to the rolling release model. TrueOS will use LibreSSL instead of OpenSSL, offer Linux DRM 4.7 compatibility for supporting for Intel Skylake, Haswell, and Broadwell graphics, and uses the pkg package manage system by default. "TrueOS combines the convenience of a rolling release distribution with the failsafe technology of boot environments, resulting in a system that is both current and reliable. TrueOS now tracks FreeBSD's 'Current' brand and merges features from select FreeBSD developer branches to enhance support for newer hardware and technologies," reads today's announcement.

Posted
by
BeauHDon Thursday September 01, 2016 @07:10PM
from the new-and-improved dept.

LichtSpektren writes: Version 6.0 of the free operating system OpenBSD has just been released. This release features much improved hardware and armv7 support, a new tool called proot for building software ports in an isolated chroot environment, W^X that is now strictly enforced by default, and removal of official support for Linux emulation, usermount, and systrace. The release announcement can be read here. The release is OpenBSD's 40th release on CD-ROM and 41st release via FTP/HTTP.

Posted
by
EditorDavid
on Sunday July 17, 2016 @10:35AM
from the trusted-sources dept.

Slashdot reader disccomp shares an article from Ars Technica:
In an advisory posted Wednesday, Juniper officials said they just fixed a bug in the company's Junos operating system that allowed adversaries to masquerade as trusted parties. The impersonation could be carried out by presenting a forged cryptographic certificate that was signed by the attacker rather than by a trusted certificate authority that normally vets the identity of the credential holder...

"It seems that Junos was accepting specially crafted, invalid certificates as trusted," said Stephen Checkoway, a computer scientist at the University of Illinois at Chicago who recently focused on security in Juniper products. "This would enable anyone to create a VPN connection and gain access to the private network, e.g., a private, corporate network."

Posted
by
msmash
on Wednesday June 22, 2016 @01:00PM
from the security-woes dept.

Reader itwbennett writes: Researchers from Cisco Systems' Talos group have found three memory corruption errors in the widely used open-source library libarchive that can result in arbitrary code execution and can be exploited by passing specially crafted files to applications that contain the vulnerable code. "The library is used by file and package managers included in many Linux and BSD systems, as well as by components and tools in OS X and Chrome OS," writes Lucian Constantin. "Developers can also include the library's code in their own projects, so it's hard to know how many other applications or firmware packages contain it." (Original blog post) So, while the libarchive maintainers have released patches for the flaws, it will likely take a long time for them to trickle down through all the affected projects.